Use PowerShell to Install Active Directory Certificate Services

In this blog article, I’ll use PowerShell to install Active Directory Certificate Services in my test environment. The domain controller that’s being used is running Windows Server 2012 R2 Server Core Installation (no-GUI). The workstation that I’m using is running Windows 8.1 and it is a member of the same Active Directory domain.

Many times when I’m prototyping something on a single remote server, I’ll use one to one remoting so that it’s an interactive session. The Enter-PSSession cmdlet is used for one to one remoting as shown in the following example where I’ll establish an interactive session to my test domain controller named dc01:

Enter-PSSession -ComputerName dc01


Notice that the prompt is preceded by [dc01]: once the PowerShell remoting interactive session is established. Any commands that are issued while in an interactive session are executed on the remote computer that’s specified in those square brackets.

In the previous example, I was logged into the workstation that I established the interactive session from as a user who has rights to establish an interactive session on dc01, but that probably wouldn’t be the case in a production environment where you would need to use the Credential parameter to specify alternate credentials.

Before jumping in head first and trying to install something, first check to see if it’s already installed. In this case, I’ll check to see if certificate services is already installed:

Get-WindowsFeature -Name AD-Certificate


To install Active Directory Certificate Services, simply pipe the previous command to the Install-WindowsFeature cmdlet:

Get-WindowsFeature -Name AD-Certificate | Install-WindowsFeature


There are a number of PowerShell cmdlets for deploying and administering Active Directory Certificate Services:

Get-Command -Module ADCS*


One of the gotcha’s about working in a PowerShell remoting interactive session is that the ShowWindow parameter of Get-Help doesn’t work:

help Install-AdcsCertificationAuthority -ShowWindow


Specifying the WhatIf parameter with Install-AdcsCertificationAuthority allows you to see the defaults that will be used without specifying any parameters (based on the help, no parameters are required):

Install-AdcsCertificationAuthority -WhatIf


For this test environment, the defaults are fine so I’ll run the cmdlet without WhatIf:


An ErrorId of 0 indicates that the role was installed successfully.

To exit the remote interactive session, simply use the Exit-PSSession cmdlet: